NIST SP 800-171 Rev 2 requirement 3.10.3 mandates that organizations escort visitors and monitor visitor activity in areas where CUI is stored, processed, or transmitted. A visitor is any individual who is not an authorized organizational user, including contractors, vendors, auditors, customers, and delivery personnel who enter controlled physical spaces. Escorting means an authorized employee maintains physical proximity to the visitor at all times within the protected area and actively supervises their movements. Monitoring visitor activity means observing, and where appropriate recording, what visitors do while present so that any attempt to access systems, media, or CUI without authorization is detected. Together, these controls prevent insider threat vectors introduced through temporary physical access and ensure accountability for all individuals present in sensitive areas.
Where it stops · what it isn't
- This practice does not govern logical or network access controls for remote visitors or third-party remote sessions; those are addressed by AC domain practices.
- This practice does not define the criteria for granting visitor access in the first place; physical access authorization is addressed in PE-L2-3.10.1.
- This practice does not require surveillance of visitors in publicly accessible areas of the facility outside of CUI-handling zones.
- This practice does not cover the background investigation or vetting of visitors, which falls under personnel security domain requirements.
- This practice does not mandate specific video surveillance technology; organizations may use human escorts alone or supplemented by cameras, depending on their environment.